
Introduction

Sûnnet Beskerming Pty. Ltd. occasionally produces small reports that are for free (gratis)
distribution. The free content may cover any area that Sûnnet Beskerming operates in. Examples
may include generic security advice, specific security warnings, development practices, and application
tuning. The only caveat on reuse of information from this site is in accordance with the
following paragraph.

Use and reuse of information from this site requires written acknowledgement of the source for
printed materials, and a hyperlink to the parent
Sûnnet Beskerming page for online reproduction.
Content from this page cannot be reused in a commercial context without negotiating an appropriate licence with the
site owner. Personal and educational use is granted without
additional restriction beyond an amount in accordance with the principle of "fair use". Fair judgement
is encouraged from site users as to what amounts to "fair use". Please contact
us if you reuse our content, so that we may be able to provide more specific advice when necessary to improve your
reproduction.

A Week For Security - 30 May 2005

Purdue University in the United States has
reported its third theft of electronic
information this calendar year. In this case, 11,360 past and present employees may have had their records
accessed. Although smaller than a number of other security breaches reported this year, it is the latest in a
disturbing trend of University breaches. In an identity theft case which used employees instead of system breaches
to steal identity data, New Jersey police are reporting that the largest breach of banking security in the United
States has grown to encompass at least 676,000 individuals. In this case, it was employees of banks who manually
copied out account information which was then forwarded to a holding firm. Where a normal bank employee would
perform 40 to 50 account searches per day, the accomplices were performing ten times that amount. The data was
being sent to a company which then sold the information to legal firms, private detectives and other third parties.
The key difference between this case and the ChoicePoint breach reported earlier is that ChoicePoint obtained the
data legally and sold it to unknown parties.

A recent deconstruction of the Witty worm has revealed some interesting information about the possible source of the
worm which was one of the fastest spreading Internet worms to date. The Witty Worm was targeted at systems that ran
a specific firewall application from ISS, a security product vendor. Designed to disable the firewall, spread itself
automatically, then overwrite sections of the local hard drive, the Witty worm was not only fast spreading, but
actually possessed a malicious delivery payload. A flaw in the method used to generate new addresses to attack meant
that 10% of the available internet address space would never have been attacked, as the addresses would never appear.
A common IP address to all samples of the worm, even after observing the random address generation, indicated that the
infection originated from a client system in a large European ISP. The attack from the worm targeted a number of
systems at a US military base in Europe in the initial attack spread. The intentional targeting of systems at the US
military base suggests that the creator of the worm had specific inside knowledge of the client list for ISS products.
In addition, the use of an undisclosed vulnerability also suggests that the hacker had access to ISS or a security
company such as eEye, and the unpublished research into vulnerabilities for that application.

The uniqueness of the vulnerability, which effectively could not be scanned for without exploitation, indicates that
the rapid spread of the worm was due to a priori knowledge of the install location for the affected ISS product, which
would have been hardcoded into the worm. People claiming to be ISS company representatives, posting on various internet
forums, believe that the author was an insider, but have not been able to identify them. Witty was unique in its ability
to fit inside a single UDP data packet without impeding its ability to spread, even with a malicious payload. For such
a malicious, nasty worm it is quite a beautiful creation (in a horrid sort of way), and quite possibly indicates a new
breed of malware creator: the talented, motivated malicious individual who is an expert at their skillset.

Continuing with the theme of the big bad Internet, an old extortion technique has resurfaced. A Trojan-downloading
infection tool, known as download-aag or Pgpcoder, utilises known flaws in Microsoft Internet Explorer to retrieve
the malicious content on to the local system. Once in place, the malicious tool actively searches the local system
for files with certain filetypes (such as Word documents and Excel spreadsheets), encrypts them, deletes the original,
then leaves a message demanding $200 USD for a tool to decrypt the documents. This technique was originally tried as
the payload of a virus several years ago, but the weak encryption implementation was easily bypassed, and the financial
extortion led to a concerted effort to track down the originator. The original site that hosted the malicious
downloader has since been taken offline, but, as with all things on the internet, once the information is out there,
it can never be removed. The other good news is that the distribution of victims has been small, and doesn't seem to
be increasing significantly.

In online safety news, the Bank of America (BoA) has
announced their new
authentication technique, designed to reduce the effectiveness of phishing attacks against their customers. BoA are
partnering with PassMark Security to provide this service to their
customers. With more than 13 million customers accessing their BoA accounts via an online interface, the bank is
claiming that the extra authentication methods are going to alleviate the risk of phishing attacks succeeding. The
not so good news is that it only solves one class of phishing attack, that which is obviously a fake site. It forces
phishers to become more technical in their approach to phishing BoA customer data, making their sites more difficult
to sort out from the legitimate sites.

The name of the BoA solution is 'SiteKey' and is comprised of a known password authentication, along with secondary
authentication of a known secret / image / human voice contact. Once a computer has been used for authentication it
will remain authenticated for future contact, presumably from a specially crafted internet cookie. If a computer is
stolen, this authentication mechanism would presumably not require re-authentication, allowing the thief to effectively
bypass it. The additional system resources required for the storage of unique images for every customer would not be
trivial, and the design forces users who browse without images, and visually impaired users, to fall back on one of the
remaining authentication methods, weakening the apparent strength of the design. If there are not unique images for every
customer, there is a finite chance that a phishing site is going to be able to guess the image when trying to
authenticate to victims (if it doesn't already pass it through from the real site).

One of the key claims from the BoA site is that the 'SiteKey' solution allows users to validate that the BoA site is
the real site, and not something fraudulent. This claim is false. At best, it gives the customer a
better feeling about what they do with their online banking information without actually increasing the security. In
real terms, it may actually decrease the security as customers become used to entering their account data into web
pages that appear to be correctly implementing the 'SiteKey' solution. Encryption and information security guru
Bruce Schneier has opined that these sorts of attempts at improving security merely shift the problem to other areas,
and can only serve to frustrate legitimate users. The analogy that he uses is motor vehicles. As cars have become
more difficult to hotwire and include more anti-theft devices, it forces the criminals to move from theft when the
owner is not present, to theft when the owner is present and the antitheft devices have been deactivated. Thus,
partially solving the problem of car theft when no one is present has led to the significant increase in violent
carjackings as the thieves effectively bypass the antitheft systems.

The Esperanto Security Suite, as discussed in the column on Knoppix CD usage in banking from last month, neatly solves
all of these problems, with a secure implementation of two-factor authentication which cannot be spoofed.

Another online safety story from the week is news that the founder of a site designed to assist consumers in avoiding
CNP Credit Card fraud, has
fallen victim to the very fraud that he is trying
to raise awareness about. This does not mean that his efforts are worthless, instead, it highlights how easy it is
for this type of fraud to be carried out without a lot of interaction from the victim. CNP fraud is carried out when
there is no need for the physical presence of the customer to process a credit transaction. Online purchases,
telephone payments, and a range of other transactions can be susceptible to this type of fraud since they do not
require a physical presence to enact the transaction. The lack of a verifiable customer signature for these types
of transaction removes one of the security measures that exists in face to face transactions.

Further to last week's report about the Australian Democrats' bill before Federal Parliament about introducing fines
for unauthorised installation of software on a user's computer, the US House of Representatives has recently passed
similar bills, the SPY Act and the I-SPY Act. While not yet passed into law, the I-SPY Act allows for jail terms
of up to five years to be awarded as punishment for an unauthorised breach of a computer system which is then used
to commit another US Federal crime.

While two wrongs do not make a right, sometimes watching natural justice take its course is quite pleasing. Website
defacers have recently gone after phishing sites with a greater rate of effort. Although there have been examples
from 2003 where defacers have targeted phishing sites, it seems that there is a growing trend where the defacers
actively seek to exploit the phishing sites. On one level, this is a positive thing, as it could serve to warn
phishing victims that they are not visiting the legitimate site that they think they are. Although the site
defacements may be the result of good intentions, this activity remains illegal. Overall website defacement on the
internet is reported to have grown by 36 percent over the last 12 months, so the targeting of phishing sites could
help divert the attention of those who deface websites from valid sites. Simple advice, which is still the best way
to avoid losing data through phishing attempts, is to never give out personal or sensitive data in response to an
unsolicited email, even if it appears to be from a company that you do have dealings with.

A recent court case in the United States of America may have widespread consequences for the use of encryption software
by consumers. The particular case involved a prosecution for child pornography images, where the suspect was using
the PGP application to encrypt certain communication. The judge ruled that the presence of encryption software on a
system could be considered relevant to the prosecution's attempts to prove criminal intent. The use of encryption
software and tools is recommended for all computer users as it helps to keep private data safe from misuse in the
case of unauthorised access to their systems. For most users, who will never be arrested, this is not a problem.
However, for those users who might be arrested at some time for a computer related crime, the presence of any
encryption software may be ruled to be relevant to the prosecution case for establishing intent.

Also of interest in the last several days is reporting that the CIA is running a paper exercise where terrorist
attacks conducted by anti-American and anti-Globalisation groups are channeled through the Internet. Dubbed
'Silent Horizon', the exercise is designed to identify and theorise how government agencies and industry bodies
might respond to escalating attacks and disruptions over the period of many months. The exercise is based on
theoretical events happening five years into the future, so the infrastructure and capabilities of the Internet
should not be all that different from the current technologies. The concept of an unannounced major attack against
a specific group of interests has been mentioned numerous times by various information security figures, and has
been dubbed a digital Pearl Harbour. The concept of a digital Pearl Harbour is similar to the surprise Japanese
aerial attack which brought the USA into World War II. Essentially, a massive surprise network attack is launched
and timed to use new vulnerabilities that have not been made public, with the goal of causing major havoc on a system
or network. The digital Pearl Harbour concept has been considered extremely unlikely by a number of security
researchers, and has not attracted a lot of mainstream attention as a result. Some forum commentators humorously
opine that, while a digital Pearl Harbour might be nice, they are waiting for a digital Hiroshima.

In terms of overall threats, the threat of cyberterrorism is considered a lower threat than physical attacks against
infrastructure. The unique nature of the Internet means that a 'cyberterrorism' attack could be anything from a
dedicated hostile government, through to a group of bored teenagers, with the same results from either group. The
real threat posed to systems is a source of frequent discussion, with various known criminal interests, rumoured
military hacker units in North Korea (and possibly other countries), hacker groups, and bored teenagers all posing
real threats to current infrastructure.

Criticism targeted at the exercise was largely centered around a claimed lack of imagination by the organising
agencies. Critics felt that the exercise was too limited in scope and did not necessarily reflect what the situation
might be like in the case of an attack. They also claim that the agencies fail to recognise and adequately prepare
for what is happening today. The recent Cisco network breach was estimated to have been the responsibility of a
single individual who then also managed to gain root-level access to more than half of the computers that they
tried to penetrate in a two day period. Root level access allows them to do anything they want with a system,
and once this is compromised, all assurances of data and system integrity are removed.

Unfortunately, there wasn't enough column space this week to cover the malicious software posing as a Windows update.
Expect to see it next week, along with a rundown on the effect that patent laws are having on the ability of companies
to develop new and innovative software applications, unless, of course, more pressing news needs to be reported on.

German Spam - 23 May 2005

The recent spate of German Spam, and the announcement by the Australian Democrats about an anti-spyware
bill are the main topics of discussion for this week's column. If readers have any requests or suggestions
for further topics or areas of discussion, please send an email to
info@skiifwrald.com.

The problem with having non-technical people managing and directing technical progress / capability, whether
it is in a corporate setting or a government, is that the best intentioned concepts may be doomed to fail due
to a lack of understanding of the technology. Recently, on May 12, Australian Democrats Senator Brian Greig
submitted a bill to the
Federal Parliament proposing that any entity that installed software on a user's computer without consent
would face a fine of $10,000. The immediate issue is that the people and companies involved in spyware /
adware / malware creation and distribution will ignore this if it becomes law, merely shifting their base
of operations to countries outside of the reach of Australian law enforcement. The other, more critical,
issue is the use of 'click through' EULAs with the
installation of these applications, which then move the responsibility for the installation to the user and
makes it a consenting installation, such as used by Gator and Bonzi Buddy, two nasty pieces of malicious
software.

These licence agreements have yet to be tested in a court of law, and it is rare that users actually
read through the content of these agreements, which can be quite restrictive or allow scary levels of access
to the system by the company that developed the application. For example, the EULA associated with the
Windows Operating System absolves Microsoft of any responsibility should the failure of their operating
system cause major financial loss and damage to the user. Some EULAs even go so far as to exclude the use of
the software in safety critical areas, claiming that it will be at the user's own risk if they choose to
proceed with such an installation. A major issue with EULAs is that people just don't read them when they
install software. This is sometimes the desired effect from the software companies, with the EULA attached
to one piece of spyware being more than 5,000 words. PC Pitstop actually went as far as to offer money to
users who read through one of their EULAs. It took more than 3,000 downloads before someone contacted
them about the money. The lucky user was given a cheque for $1,000 USD.

The Democrats' Anti-spyware bill is likely to be as successful as the Anti-spam laws in Australia and the USA,
which have proved completely ineffective in practical terms, namely in reducing spam email traffic,
despite a significant proportion of spam originating from the USA.

Of greater immediate concern to most users is the
recent announcement of a major flaw with
Microsoft Internet Explorer (MSIE), Outlook and several other miscellaneous titles (not named). Apparently
the flaw exists with the default installation of these applications, and allows remote execution of code
with minimal user interaction. Existing users of Internet Explorer and Outlook should already be very
careful with their application usage habits, however this announcement should serve to reinforce that idea,
and prompt those who haven't already done so to install a firewall and system monitoring software. Users should
expect more information to be released in the coming weeks.

German language spam is not a common occurrence in most English speaking countries, but there has been a run of
spam emails in German flooding inboxes over the last week, starting on 14 May. Although they don't usually
deliver spam, the culprit was an email worm that spreads through Microsoft Windows based systems. The
Sober email worm has been around for a while, and is now up to the 17th incarnation, identified as Sober.Q
by various anti-virus vendors, and it was this version which released the German spam on the world. It was
actually the 16th variant, Sober.P, which then downloaded the 17th which then spewed spam out across the
internet. Oddly enough, the spam was not for any commercial product, but was timed to coincide with the 60th
anniversary commemorations of the end of World War II in Europe. Many of the sites linked in the emails were
classified as 'extreme right wing' and 'NeoNazi propaganda'. In addition to the anniversary, the German state
with the greatest population will be holding an election on May 22, and some observers believe that the spam
release may have been motivated by that occurrence.

The 7th variant of Sober, Sober.G, was released last June to coincide with the European Parliament elections,
and also spammed related messages, so there is a precedent which also happens to use the same family of worm.
Like the Sober.P - Sober.Q relationship, Sober.G downloaded Sober.H, which was the spamming variant.
Technically, Sober.Q is not a worm or virus, but a spam engine. Some reports were even made that mobile phones
and Blackberries (hand held email devices) were being spammed via SMS as a part of this attack, although it is
likely that this was merely an email to SMS gateway passing on messages as it is supposed to, and not a direct
SMS attack against devices that cannot access email.

Like a lot of current email spread malware, the Sober family of worms uses forged headers when sending out
messages, which means that the From: line in the email message is not who sent it. Forged headers hide the
source of the message from the average user, and can make it look like it is from someone they know. A forged
header also has a second effect: anti-virus / anti-spam monitoring applications may bounce or auto-reply to
infected messages, which sends pointless emails to the unsuspecting victim who was set up
as the From: line. In internet parlance, this is known as a 'Joe Job', and can cause a problem when over-zealous
administrators, or frustrated users complain to / about the victim. There have been cases where ISPs have
suspended accounts due to complaints received about a customer who was the victim of a 'Joe Job'. If you are
the victim of a 'Joe Job', it doesn't necessarily mean that you have any malware on your system, although it
couldn't hurt to check, anyway, and it can get annoying receiving abusive emails about being responsible
for sending out viruses.
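To make the 'Joe Job' mechanism concrete, here is an added example (not code from this column) of how a mail scanner can decide whom to notify: it parses the Received: chain of a constructed worm message and refuses to bounce or auto-reply to the From: address when the message scanned as infected, pointing any abuse report at the relay that delivered it instead. The sample messages, the X-Virus-Status header and the example.com / example.org hosts are assumptions.

```python
import re
from email import message_from_string, policy
from email.utils import parseaddr

# Pull "from <claimed-name> (<reverse-dns> [<ip>])" out of a Received: header.
RECEIVED_RE = re.compile(r"from\s+(\S+)\s+\(([^\[\)]*)\[([0-9.]+)\]\)", re.IGNORECASE)

# Constructed sample (not a real capture): a worm-sent message whose From: names an
# uninvolved third party, jane@example.com, who would receive any bounce or auto-reply.
INFECTED_MESSAGE = """\
Received: from mail.example.org (mail.example.org [192.0.2.10])
\tby mx.example.net with ESMTP id 4DfHx1; Mon, 16 May 2005 10:02:11 +1000
Received: from [198.51.100.7] (unknown [198.51.100.7])
\tby mail.example.org with SMTP; Mon, 16 May 2005 00:01:58 +0000
From: "Jane Doe" <jane@example.com>
To: <victim@example.net>
Subject: (constructed worm message)
X-Virus-Status: Infected (Sober.Q)

<attachment stripped>
"""

# Constructed sample of an ordinary clean message from the same sender, for comparison.
CLEAN_MESSAGE = """\
Received: from mail.example.com (mail.example.com [203.0.113.5])
\tby mx.example.net with ESMTP id 4DfHx2; Mon, 16 May 2005 10:05:40 +1000
From: "Jane Doe" <jane@example.com>
To: <victim@example.net>
Subject: (constructed ordinary message)
X-Virus-Status: Clean

Hello.
"""


def parse(raw):
    """Parse a raw RFC 2822 message with the modern header-aware policy."""
    return message_from_string(raw, policy=policy.default)


def received_hops(msg):
    """Return (claimed name, ip) for each Received: header, most recent hop first.

    The first entry is the relay that handed the message to our MX; it is the only
    hop we observed ourselves, so it is the only one an abuse report can trust.
    """
    hops = []
    for hdr in msg.get_all("Received", []):
        match = RECEIVED_RE.search(" ".join(str(hdr).split()))
        if match:
            hops.append((match.group(1), match.group(3)))
    return hops


def is_flagged_infected(msg):
    """True if the (assumed) scanner header marked this message as infected."""
    return str(msg.get("X-Virus-Status", "")).lower().startswith("infected")


def notification_decision(msg):
    """Decide whether a scanner may notify the From: address about this message.

    Returns ('reply', address) when an auto-reply to From: is acceptable, or
    ('discard', relay_ip) when replying would create a Joe Job: the From: line of
    an infected message is forged, so nothing goes to it, and any report goes to
    the postmaster of the relay that delivered the message to us.
    """
    hops = received_hops(msg)
    relay_ip = hops[0][1] if hops else None
    sender = parseaddr(str(msg.get("From", "")))[1]
    if is_flagged_infected(msg) or not sender:
        return ("discard", relay_ip)
    return ("reply", sender)


if __name__ == "__main__":
    for label, raw in (("infected", INFECTED_MESSAGE), ("clean", CLEAN_MESSAGE)):
        print(label, notification_decision(parse(raw)))
```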

Next week's column will discuss the recent spate of fake Microsoft patches, which are Trojan Horse
applications in disguise, and another spate of Identity theft cases in the United States, including
the highest number of bank account breaches to date.

Cisco Theft 12 Months On - 16 May 2005

Twelve months ago Cisco was the victim of a network penetration,
which resulted in their IOS source code
being compromised. The IOS is the operating system used by Cisco networking hardware, a large
number of which effectively form the backbone of the Internet. At the time, there was little
news about it, with only some minor reporting on various security and technology related websites.
There was little information being made available, with the public reporting starting once a 2.5 MB
section of code was posted to a Russian IRC channel.
Cisco was keeping quiet, only confirming that they had a compromise, and the details were being left
to the hacker, who posted a code sample to prove his story. The complete size of the code copied out
was reported at 700 MB, including IOS 12.3 and 12.3t. Although the breach was not widely reported at
the time, the New York Times recently ran a story purporting
to describe how the network intrusion and compromise took place.

The author of the New York Times article was John Markoff, known for his novel CyberPunk and the Kevin
Mitnick story. He is regarded as being responsible for the fear and paranoia surrounding Kevin Mitnick
(a gifted conman who also had a decent level of technical skill). While he writes articles that are good
reading, there are many information technology people operating in the grey areas of the law who regard
him as being obsessed with money and story before factual reporting. In his defence, it is difficult to
accurately report technical news in a non-technical manner, but his methods and reporting have been
called suspect by the people he reports on (i.e. the people operating in the grey areas of the law).

John Markoff describes the mechanism of the attack as resulting from a compromised university network in
Uppsala, Norway. Apparently a teenage hacker managed to exploit a known flaw in an application used to
establish a SSH connection between computers. Basically, a SSH
connection allows a user to log in remotely to another computer on which they have an account, and do so
over an encrypted connection. With this application compromised, the hacker captured the login process of
someone who was connecting to an internal Cisco system, and used those credentials to eventually obtain
the source code to IOS. Eventually the hacker got caught, after he was bragging and taunting users on
other networks that he had managed to penetrate.

While the details may or may not be true, it does highlight how major security breaches can come from
unexpected directions. Information security professionals, who are expected to be paranoid as a part
of their job, fear the network intrusions that are not reported, or never found. With increasing
attention paid by organised crime interests to online crime, it is only a matter of time until a hacker,
or group of hackers, refine their art to the point that they are effectively undetectable, and work to stay
invisible with their crimes. It is possible that such capability already exists, but it would be impossible
to know, as they would have made themselves invisible. Technically, it is not possible to be completely
anonymous, however, practically, it is relatively simple.

Theoretically, if the hacker who had stolen the IOS source code had kept quiet, and not posted the sample,
this probably never would have been reported on. If they had then gone on to find a set of major
vulnerabilities in the source code, which they could exploit efficiently, there is no limit to the amount
of damage that they could have caused to the Internet. Although the Internet is designed to be decentralised,
and able to route around failures, an accurate attack on Cisco hardware would effectively cripple the Internet,
especially if a corresponding failure was found in Juniper network hardware. This information could have
sold for an immense amount of money to criminal interests or rogue nation-states. The power that could be
wielded with such knowledge is almost beyond belief. Being able to pull the plug on the Internet for any
country / agency / company at will would just be the start of it. Like any computer based attack, once it
is used, it is in the wild and can be deconstructed and disabled. Using such a powerful weapon would also
be a one-off: it is unlikely that the flaw exploited would last for long, and the attack source would be
traced and wiped out by a number of very annoyed governments.

For the more technical readers who maintain an IDS of
some sort, recent reports have indicated that one of the more popular security applications, Ethereal, has
had two exploits made public. An IDS, and other related network analysis tools, can be amazingly useful to
help administrators determine what is happening on networks of interest, and can be used to highlight
malicious traffic as it starts to happen, so action can be taken before it destroys systems and networks.
Because these tools can be used to detect major disruptions before they have a major effect, some malicious
software aims to disable these tools as a part of the infection. A lot of malicious software is already
designed to shut down firewall software, anti-virus software and other protective applications, before
continuing with the remainder of the negative payload. The next major problem would be a 'killer packet'.
Information being transmitted across any network is broken down into 'packets', transmitted, and then
reassembled into a copy of the original information (much as parcels go through the postal system). A
'killer packet' is a specially created parcel of information that enters a network and is designed to disable
any application that is monitoring network traffic, which then allows the rest of the malicious software
through without being noticed.

Related to the recently reported issues with a Trend Micro anti-virus definitions file, Symantec's Norton
Anti-Virus (NAV) on the Apple Macintosh OS X platform has experienced a similar problem, as reported by The
Register recently. A recent
virus definitions file update falsely identified the swap files (files on the hard disk used to augment the
physical RAM in a computer) as containing "Hacktool.Underhand", and led to system crashes for some users.
The NAV versions affected by this issue included:

NAV 9.x with definitions file dated 28 April

NAV 7.0.2 and 8.x with definitions file dated 1 June

Symantec advises current NAV users to update to the latest versions of the virus definition files, which have
been corrected.

Microsoft just don't seem to have a lot of luck with the security of their delivered products.
The Register reported recently on an online security competition known
as 'The Gatekeeper Test' that Microsoft was running for people from Africa, Europe and the Middle East. While
the concept of the competition was sound, and the questions appeared to be reasonable, the implementation of the
test left a little to be desired. Users found that sometimes their responses were not accepted (a 404 page was
returned), and in other cases users discovered that even if they had submitted an incorrect answer, use of the
back button in the browser would allow them to try again without penalty. Apparently similar methods could be
used to inflate scores above the maximum daily allowable points allowance.

After disabling the competition interface, Microsoft released a statement which described the source of the issues
as being a technical malfunction in their server farm, when several servers lost state information (e.g. the total
number of points for a particular user, or their progress through the test). The test would be reinstated
at a later time.

Beware of Clicky, and Where is Google? - 09 May 2005

Instant Messaging (IM) applications, such as MSN Messenger, ICQ, AIM and iChat have grown in
popularity in recent years as they allow near realtime text communication between two or more
people across the internet (or local networks). Some applications even include voice chat,
video chat, games, file transfer, and a range of other features.

While computer users are slowly becoming more aware of the risks of clicking random links in
unsolicited or strange looking emails, the perceived increased personalisation of IM means that
some users let down their guard slightly and will click links suggested by other IM users.
Worms, viruses and trojan horses are now taking advantage of this mannerism by hijacking,
or creating new, IM sessions and sending suggested links to other users listed in the 'Buddy Lists'.
When these links are clicked, a range of malicious software is downloaded such as spyware, adware
and viruses. The malware installs itself at this time, and then looks to propagate itself again
using the new list of IM users on the victim's computer.

Unless a computer user is expecting to be sent a link as part of the normal conversation flow, the same
caution should be applied as that which should be applied to unsolicited email message links. That is:

Beware of the Clicky.

In further news, Time Warner has had 600,000 of its employees' Identities compromised when an external
storage company lost the tapes that they were stored on. The tapes contained identifying information
for employees, dependents and beneficiaries dating back as far as 1986.

The latest in a long list of US Universities suffering from network intrusion is Florida University,
which effectively had its network compromised recently. Although only 5% of the computers were compromised,
3,000 systems are being inspected, upgraded and updated on the basis that the intrusion could have gained
access to all systems easily. This intrusion was only discovered when a single file was discovered on one
of the compromised systems. Given the number of files on an average computer, this would be an extremely
fortuitous discovery for Florida University.

The SANS Institute has released their list of the top 20
most critical vulnerabilities discovered or patched in the first quarter of 2005. In addition to the expected
Microsoft vulnerabilities, the DNS cache poisoning issue (subject of previous columns) was mentioned, as well
as buffer overflow vulnerabilities for various anti-virus products and media players. The anti-virus vendors
affected included Symantec, F-Secure, Trend Micro and McAfee. The media players affected included RealPlayer,
iTunes and Winamp.

A buffer overflow occurs when specially crafted content is forced into memory allocated to an application.
The content exceeds the amount of memory allocated (i.e. it overflows the buffer) and overwrites adjacent
memory, allowing the attacker to have whatever is now placed in the overflowed area executed as code,
effectively compromising the system.
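To make the mechanism concrete, here is an added C example (not code from any of the products named above, and not the column's own) showing the defect in its simplest form, a fixed-size stack buffer filled with an unchecked copy, beside the bounded version that refuses input which cannot fit. The function names, the 16-byte buffer size and the sample inputs are all constructed for illustration.

```c
#include <stdio.h>
#include <string.h>

#define NAME_LEN 16   /* constructed: room for 15 characters plus the terminator */

/* Vulnerable form: copies the caller's data into a fixed 16-byte stack buffer
 * without checking its length. Anything longer than 15 characters runs past
 * 'name' into adjacent stack memory; that is the overflow the column describes.
 * Kept only to show the defect. Never give it untrusted input. */
int greet_unsafe(const char *input)
{
    char name[NAME_LEN];
    strcpy(name, input);                 /* no bound: the buffer overflows */
    return (int)strlen(name);
}

/* Hardened form: measure the input against the space available, refuse
 * anything that does not leave room for the terminator, then copy with an
 * explicit bound. Returns the stored length, or -1 if the input was refused. */
int greet_safe(const char *input, char *out, size_t out_len)
{
    size_t n = 0;
    while (n < out_len && input[n] != '\0')   /* stop scanning at out_len */
        n++;
    if (out_len == 0 || n >= out_len)        /* no room for data + '\0' */
        return -1;
    memcpy(out, input, n);
    out[n] = '\0';
    return (int)n;
}

/* Same fixed buffer as the unsafe version, but routed through the check. */
int greet_checked(const char *input)
{
    char name[NAME_LEN];
    int n = greet_safe(input, name, sizeof name);
    if (n < 0) {
        fprintf(stderr, "rejected: input longer than %d bytes\n", NAME_LEN - 1);
        return -1;
    }
    printf("hello, %s\n", name);
    return n;
}

int main(void)
{
    greet_checked("alice");                                   /* fits: stored */
    greet_checked("AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA");     /* 36 bytes: refused */
    return 0;
}
```

The point of the check is that the decision is made before any byte is written: the caller learns the input was refused and can log it, which is also the signal a defender wants to see in application logs rather than a crash report.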

In other, more recent, news, the popular Internet browser Firefox has been found to be vulnerable to arbitrary
code execution in all versions. This would allow a remote attacker to execute code at will on a victim's
computer, with the victim only needing to click on a link or visit a website to trigger the attack. There
is currently (at time of writing) no known solution except to disable JavaScript in the browser.

DNS issues continue to be reported, with Google creating its own nightmare over the weekend. Although
temporary, and with the details still being resolved, it appears that the DNS records for Google were modified,
with different results delivered to users depending on how their local DNS servers responded. As well
as the site not appearing at all for some users, others were directed to sogosearch.com (which identified
itself as google.com). This was not a hack, but the result of requests for google.com being sent to
google.com.net. Sogosearch owns the domain records for *.com.net (i.e. any sitename.com.net), so this is
actually correct DNS behaviour. Google denies that it was an attack, and it appears to have been the result
of modifications Google made to its own DNS records.
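The following added C example (constructed for this column's explanation, not Google's, Sogosearch's or any resolver's real code) shows why a wildcard record such as *.com.net legitimately answers for google.com.net while a missing google.com record answers for nothing. The zone contents, the "google-web" and "sogosearch-wildcard" labels, and the search suffix "net" are all made up. The search-suffix retry is an assumption about how a request for google.com could have ended up as google.com.net; the column does not say which mechanism was involved.

```c
#include <stdio.h>
#include <string.h>

/* One resource record: owner name and a label standing in for its data. */
struct rr { const char *owner; const char *target; };
struct zone { const struct rr *rr; size_t n; };

/* Constructed zone contents (not real DNS data). HEALTHY holds a record for
 * google.com plus the *.com.net wildcard the column mentions; BROKEN is the
 * same data with the google.com record missing, as after a bad record change. */
static const struct rr HEALTHY_RR[] = {
    { "google.com", "google-web" },
    { "*.com.net",  "sogosearch-wildcard" },
};
static const struct rr BROKEN_RR[] = {
    { "*.com.net",  "sogosearch-wildcard" },
};
const struct zone HEALTHY = { HEALTHY_RR, sizeof HEALTHY_RR / sizeof HEALTHY_RR[0] };
const struct zone BROKEN  = { BROKEN_RR,  sizeof BROKEN_RR  / sizeof BROKEN_RR[0]  };

/* Constructed search list: a stub resolver appends these suffixes when the
 * name as typed does not exist. Appending "net" turns google.com into
 * google.com.net (assumed mechanism; see the text above). */
const char *const SEARCH[] = { "net" };
const size_t NSEARCH = sizeof SEARCH / sizeof SEARCH[0];

/* Does 'name' fall under wildcard owner 'wc' (of the form "*.suffix")?
 * Following the RFC 1034 rule: the name must end in ".suffix" and carry at
 * least one label in front of it; the bare suffix itself is not matched.
 * Names are assumed lower-case. */
static int wildcard_matches(const char *wc, const char *name)
{
    if (strncmp(wc, "*.", 2) != 0) return 0;
    const char *suffix = wc + 2;
    size_t sl = strlen(suffix), nl = strlen(name);
    if (nl <= sl + 1) return 0;                 /* need "x." + suffix */
    if (name[nl - sl - 1] != '.') return 0;     /* must be a label boundary */
    return strcmp(name + (nl - sl), suffix) == 0;
}

/* Look up one fully qualified name: exact owner first, wildcard second.
 * Returns the record data, or NULL for "no such name" (NXDOMAIN). */
const char *lookup(const struct zone *z, const char *name)
{
    for (size_t i = 0; i < z->n; i++)
        if (z->rr[i].owner[0] != '*' && strcmp(z->rr[i].owner, name) == 0)
            return z->rr[i].target;
    for (size_t i = 0; i < z->n; i++)
        if (z->rr[i].owner[0] == '*' && wildcard_matches(z->rr[i].owner, name))
            return z->rr[i].target;
    return NULL;
}

/* Resolve as a stub resolver with a search list would: try the name as
 * typed, then each suffix in turn. 'resolved' receives the name that finally
 * answered (or "" on failure) so the caller can see which owner served it. */
const char *resolve(const struct zone *z, const char *name,
                    char *resolved, size_t rlen)
{
    const char *t = lookup(z, name);
    if (t) { snprintf(resolved, rlen, "%s", name); return t; }
    for (size_t i = 0; i < NSEARCH; i++) {
        snprintf(resolved, rlen, "%s.%s", name, SEARCH[i]);
        t = lookup(z, resolved);
        if (t) return t;
    }
    resolved[0] = '\0';
    return NULL;
}

int main(void)
{
    char who[128];
    const char *t = resolve(&HEALTHY, "google.com", who, sizeof who);
    printf("healthy zone: google.com -> %s (answered by %s)\n", t, who);
    t = resolve(&BROKEN, "google.com", who, sizeof who);
    printf("broken zone:  google.com -> %s (answered by %s)\n", t, who);
    return 0;
}
```

Nothing in the wildcard owner's zone misbehaves here: once the real record is gone, any resolver that widens the query is handed to whoever holds the wildcard. The defensive lesson is to treat changes to your own apex records as production changes, and to know which search suffixes your resolvers silently append.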

My AntiVirus Killed My PC - 02 May 2005

In rare circumstances auto-updating software, such as anti-virus applications, can act
as a security weakness rather than a strength. Recently such a case occurred when
Trend Micro released a buggy identification file for its anti-virus application. The culprit,
version 594 of their virus definitions file, caused affected Windows PCs to slow down
significantly as their CPU usage ramped up to 99% or more.

This issue struck late on Friday afternoon, US time, after most personnel had departed for
the weekend. This saved a lot of obvious heartache, as fewer end users were affected by the
slowdown than there otherwise might have been. Unfortunately, however, it also
meant that a lot of administrators and other technical personnel were scrambling to diagnose,
isolate, and repair the issues, costing them their Friday evenings, and into the weekend.

This is a practical example of why a completely homogeneous environment, coupled with a lack
of proper testing procedures, is a dangerous situation. The danger of completely homogeneous
environments, in particular those created by a monopoly presence, was elaborated in the now
famous White Paper "Cyber Insecurity: The Cost of Monopoly". The paper specifically focussed
on the potential for damage caused by the effective monopoly that Microsoft has, and how a
'monoculture', where one software provider or one software type has absolute dominance,
creates a single point of failure for a complex system.

A real world example where a lack of diversification caused a major catastrophe was the Irish
Potato Famine of 1845 - 1850. In this case, the Irish farmers were only growing one primary
crop, the potato, due to its dense energy storage and the best return per acre of any food
available at the time. This also encouraged rapid population growth, as sufficient food was
available to support the population density. Initially, airborne fungal spores from North
America (via England) infected potato plants around Dublin, then rapidly spread to surrounding
areas. As the infection vector was airborne, and the weather conditions were suitable for
transmission of the fungus, the Irish potato crop soon failed nationally, and seed stores were
destroyed by the fungus. Previous crop failures had been limited in reach because infection vectors
were stopped by geography, different failure mechanisms, climate variations and so on. The
complete loss of the primary food crop, combined with the export of the remaining food crops
(cash crops), led to mass starvation and emigration. Modern day equivalents are found
in less developed countries, where cash crops are the primary agriculture and fluctuations in
global demand and price leave countries vulnerable to minor shifts in the market.

Like the potato famine, failing to diversify your systems, or at least failing to properly test,
quarantine, and protect against externally introduced material, will result in a single point of
failure which can easily bring down whole networks. Not only is this important from an Operating
System point of view, but also with the applications being run on them. While cost and effective
interoperability concerns will limit the ability to diversify, an effective quarantine and test
environment should be in place, before implementing any application on protected networks.
Likewise, networks should be protected against external risks.

Several public system failures, particularly in Japan, came about as the result of the incorrect
virus definitions file. East Japan Railways were affected by the recent virus definitions file
problem, along with Osaka's municipal subway system, when various LANs went offline. A number
of Japanese news services and the Tottori Prefectural Government were also affected, along with
absentee voting for a number of prefectures.

The lesson to learn here is to always be careful with applications and Operating Systems which
automatically update themselves, as they could be the vector for destroying your data or network.

If you are still looking for the April columns, they have been archived, and you can find them via the
navigation link for Archives, on the left of the screen.